chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

got authelia working as intended I believe, next is to integrate sops

Browse source
This commit is contained in:
Chris Kruining 2025-04-14 00:18:04 +02:00
parent 4a02c4c854
commit c000573635
Signed by: chris
SSH key fingerprint: SHA256:nG82MUfuVdRVyCKKWqhY+pCrbz9nbX6uzUns4RKa1Pg
1 changed files with 66 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

85
modules/system/services/auth.nix
View file

@ -31,6 +31,14 @@ in
address = "tcp://127.0.0.1:9091";
};
# administration = {
# enable = true;
# enable_ui = true;
# address = "tcp://127.0.0.1:9092";
# users = [ "chris" ];
# groups = [ "admin" ];
# };
log = {
level = "info";
format = "json";
@ -43,7 +51,7 @@ in
rules = [
{
domain = ["kaas2.kruining.eu"];
domain = ["auth.kruining.eu"];
policy = "bypass";
}
{
@ -62,8 +70,8 @@ in
cookies = [
{
domain = "kruining.eu";
authelia_url = "https://kaas2.kruining.eu";
default_redirection_url = "https://kaas.kruining.eu";
authelia_url = "https://auth.kruining.eu";
default_redirection_url = "https://media.kruining.eu";
name = "authelia_session";
}
];
@ -86,16 +94,41 @@ in
identity_providers.oidc = {
jwks = [
{ key = ''{{ secret "/config/secrets/oidc/jwks/rsa.2048.key" | mindent 10 "|" | msquote }}''; }
{
# Authelia wants at least one private RSA key (why not just allow ecdsa is beyond me)
key = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCrkJ2iCcGbZwr9\ntWGiQLzL1OV7WoC8OpRIvtVusyJ6YQGkcB9F3PV+wjzBCojIibjMpWci6vq7sZQp\nnttRsXIBRxyhUoWcg1X8zR2ebFPMqPkfQEYhCPxts/5iaVwESt+77RAeaoJu6Va4\n6ugCHUsujMDGNhXNHWNn1euXT/jnTID8zT2eff8XYItK/vAJgv9ZbDDcamZFqNAK\nWBLGQZGO5GGCDtp99yFlGgG8zhaYpqw/eC/DhRr/O0N0PkQBRsD0mJ5aWCeVIVKB\nP/W35L23XFlgupOcWpZ4Bf7ivjxfakBHq/yYcvq60a9LjwLW+QXyvdvWe7jdV+Bp\nON9VlJ1PAgMBAAECggEANT8o7UWB5S1R5/QHXUgiUFC++E3abpDvvLQdocHPDZRV\n4ic6TYCKYND/8hnG4hZ8WGdtXxT2xJIUneZDw1MDQwpDBH6MIUtRwKgYbTbJu1cm\nGmDkYxRa4+FdLkXs3Rgv4C9vNUFxQeMBm1qsrxtQXh4pJlta4NIiK/Pkro2Pfplp\nyKb5E7HhusHiLqezcPhErYnYQmLPtmInqfQnBAsGehiY6ZL3TMIGTo1FDrIEhu9q\nz31WaK8NuNd/bUqiEdFIVtNt3cSOfqCrtC20LwTIYiv/tDz0ahFOCA42vHSdkz35\nnO1dEkP2YCimTHbw9KwHmzkYL6Q2jd89L8/oCe2dYQKBgQDRz2pvfJjdb4FXLRH/\n/iEsDseRu2z2fg7SBNMloTV/dQGpvBgsEZDWlJw7NyIm2rlZ0kkae9QfLECJeT6A\nZuXnOuUDNUBE5/nj2DBC34gHotpErcJBTlKmr/KfILnh1uDVwLizYNQ6KZ6s3EK8\nSvLXNbEDrJ3HkQbs6OPtZsEVawKBgQDRVcCf+8wxdK1AF474F1E9zAvN8i5+6xIW\nb+YUDuueCzJf8h3wU9Chf/ItEtknw1CHQFNOmLodtQJgGzGDG0R6xmQnfUQIsky1\nO3HDs4xlCggfq9AWm+RKr5r3T34CiJfA4ZUq6i2FKNkdQREArJWcC4cjRItZvGj6\nKJ5ZRDBsrQKBgCnD9lYXIX8DEWY/LJQfDI9uqb+S5c/zrBOWrkmRW8rxidE2BkHP\nhVuR3b/T69J8O+VrfO3utH04G+jB3/VDhoSPLsOCuDZ/TzlR8dl+EeAjRPvi8wZ5\nBu7zm4KdyyLv2XXzlVDv949UdafHeOluqgS5RXGLzSTK8+v5OFYr3EfdAoGAJIP4\n3e9mZxobPprdbZljqov1Yy9jvO/0b8WFNOqFX0REvUfWwR1dv046SHKJPs5rNaya\n25L4pEX27BzSPjR7dY812U2YmIvBpbuA1Mp1Kwrc7+lgmxEGeaC4P3u2V2rMTfEL\nvDitSBUgCmJXPO7eCiJYqGZEiJq9FSYQuTGT4OECgYEAjR+dtmZkcszRo77XdXDo\nRFMlx47R5Xk4R2+faYneCkNJ/MqZdeQ3CxcfQFQHpNJb+1kacXusRDvlm2/777fj\nCOLxaxY6akOEG6dkgmWHzzm9JpmZ63g0I9k+C3zbyQnFyNRQmNW2gGCVwekRmAz+\n/a98+6ip2LRkTQYhZ064rfc=\n-----END PRIVATE KEY-----";
}
];
clients = [
{
client_id = "jellyfin";
client_name = "Jellyfin";
client_secret = "$pbkdf2-sha512$310000$X1uesLwLAp4Uy4kR7EWJDQ$uuhPXujOJeR/1YmoVCZAX.V5oHQMpnioeXgDYQN8zLcWbOOWMIqKWSeLvPXPQoxhFKE8o/hOlfqJOuHUug6eTQ";
# af0WDhM6DILapBO.8Puu8IR1tyXLPqQNUoROgx4A8JWVIxRno4IhvXCMaN1zveuJzw1yw2h3
client_secret = "$pbkdf2-sha512$310000$9C/krTomC0MUJ2QosHwEKA$43H4gm6yaz.fU5eZsN/KxPDuL/S4jPjaNOcAKyU/uz7IVNDSQo71XQ3sqKZITZ/FLYTN5kxTlVUhEMB9Orlh1g";
token_endpoint_auth_method = "client_secret_post";
public = false;
require_pkce = true;
pkce_challenge_method = "S256";
authorization_policy = "one_factor";
userinfo_signed_response_alg = "none";
consent_mode = "implicit";
scopes = [ "openid" "profile" "groups" ];
redirect_uris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/authelia" ];
}
{
client_id = "streamarr";
client_name = "Streamarr";
# ZPuiW2gpVV6MGXIJFk5P3EeSW8V_ICgqduF.hJVCKkrnVmRqIQXRk0o~HSA8ZdCf8joA4m_F
client_secret = "$pbkdf2-sha512$310000$CzZjvJT75bz5z7MjwxsEtg$JtOiIgaY5/HcLLxJgyX4zvsQV9jIoow0e4JdlFsk/LWRDOJ0kc.PzstlYfw7QERTXtJILoWsDqPzmvpneK5Leg";
public = false;
require_pkce = true;
pkce_challenge_method = "S256";
token_endpoint_auth_method = "client_secret_post";
authorization_policy = "one_factor";
redirect_uris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/" ];
userinfo_signed_response_alg = "none";
consent_mode = "implicit";
scopes = [ "openid" "email" "picture" "profile" "groups" ];
redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ];
}
];
};
@ -136,13 +169,36 @@ in
users:
chris:
disabled: false
displayname: chris
# password of password
password: $argon2id$v=19$m=65536,t=3,p=4$2ohUAfh9yetl+utr4tLcCQ$AsXx0VlwjvNnCsa70u4HKZvFkC8Gwajr2pHGKcND/xs
email: chris@kruining.eu
displayname: Chris Kruining
password: $argon2id$v=19$m=65536,t=3,p=4$xl+ILZXFedOXb0Vb/Pao0Q$jfTun8xPYLQNcsjZCcyCeXMzxHAQWOtR7+4BJ+VS6n4
email: 'chris@kruining.eu'
picture: 'https://avatars.githubusercontent.com/u/5786905?v=4'
groups:
- jellyfin-admins
- jellyfin-users
- admin
- dev
jacqueline:
disabled: false
displayname: Jacqueline Bevers
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
martijn:
disabled: false
displayname: Martijn Kruining
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
andrea:
disabled: false
displayname: Andrea Kruining
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
'';
};
};
@ -151,15 +207,6 @@ in
enable = true;
virtualHosts = {
"auth.kruining.eu".extraConfig = ''
respond "AUTH"
# reverse_proxy http://127.0.0.1:9091
'';
"kaas.kruining.eu".extraConfig = ''
import auth
respond "KAAS"
'';
"kaas2.kruining.eu".extraConfig = ''
reverse_proxy http://127.0.0.1:9091
'';
};